
198 points kimi | 1 comments
aftbit No.43717385
As I understand it, this is talking about an SSH server built into Erlang/OTP, not e.g. OpenSSH on a server with Erlang installed.

>Any service using Erlang/OTP's SSH library for remote access such as those used in OT/IoT devices, edge computing devices are susceptible to exploitation.

https://thehackernews.com/2025/04/critical-erlangotp-ssh-vul...

kimi No.43717937
Yes - one of the many things that you can find in OTP is a programmable SSH/SCP client and server. The vulnerability is in the server component.

See for example https://blog.differentpla.net/blog/2022/11/01/erlang-ssh/

davidw No.43718289
Erlang, because of its architecture, has something of a habit of people rewriting various protocols in Erlang itself, rather than calling out to some C library.

This has pros and cons.

toast0 No.43718607
Writing protocol code in Erlang is nice, because the parsing is so easy and clear. And if you want to do something that's not so easy by spawning a command, then you may as well build it in Erlang. And it's fun and symmetric to build both a server and a client... I've not looked at OTP SSH code, but I'd assume the ciphering is still calls to external C libraries, as it is in the OTP TLS code.

Of course, easy protocol parsing doesn't do the whole job; state management is required too (and was missed here, clearly).
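An illustration of the two points in the reply above, that bit-syntax makes SSH packet framing terse and that the per-connection state gate is the part a server must not skip. This is an added example written for this thread, not code from OTP's ssh application; the message numbers are the RFC 4253/4254 ones, while the three-phase state model and the module/function names are assumptions of the example.

```erlang
%% Added example (not from the thread or from OTP): parse the unencrypted
%% SSH binary packet layout of RFC 4253 section 6 with Erlang bit syntax,
%% then gate each decoded message on connection state so that connection-
%% protocol messages are only accepted once the session has authenticated.
-module(ssh_frame_demo).
-export([parse_packet/1, dispatch/2, demo/0]).

%% Message numbers from RFC 4253 / RFC 4254 (transport, auth, connection).
-define(SSH_MSG_KEXINIT, 20).
-define(SSH_MSG_USERAUTH_REQUEST, 50).
-define(SSH_MSG_CHANNEL_OPEN, 90).
-define(SSH_MSG_CHANNEL_REQUEST, 98).

%% Packet layout: uint32 packet_length, byte padding_length, payload,
%% random padding. packet_length counts everything after itself.
parse_packet(<<PacketLen:32, PadLen:8, Rest/binary>>)
  when PacketLen >= PadLen + 1 ->
    PayloadLen = PacketLen - PadLen - 1,
    case Rest of
        <<Payload:PayloadLen/binary, _Padding:PadLen/binary, Tail/binary>> ->
            {ok, Payload, Tail};
        _ ->
            {error, truncated}
    end;
parse_packet(_) ->
    {error, malformed}.

%% State gate (simplified three-phase model): kex | userauth | authenticated.
%% Only message types that belong to the current phase are processed; any
%% other message is a protocol violation and the connection should be closed.
dispatch(kex, <<?SSH_MSG_KEXINIT, _/binary>>) -> {ok, userauth};
%% A real server verifies the credentials here before moving on.
dispatch(userauth, <<?SSH_MSG_USERAUTH_REQUEST, _/binary>>) -> {ok, authenticated};
dispatch(authenticated, <<?SSH_MSG_CHANNEL_OPEN, _/binary>>) -> {ok, authenticated};
dispatch(authenticated, <<?SSH_MSG_CHANNEL_REQUEST, _/binary>>) -> {ok, authenticated};
dispatch(State, <<MsgId:8, _/binary>>) -> {error, {unexpected_message, MsgId, State}}.

demo() ->
    %% Constructed packet: a 3-byte CHANNEL_OPEN payload plus 4 bytes of padding.
    Payload = <<?SSH_MSG_CHANNEL_OPEN, 0, 0>>,
    PadLen = 4,
    Packet = <<(byte_size(Payload) + PadLen + 1):32, PadLen:8,
               Payload/binary, 0:(PadLen * 8)>>,
    {ok, Payload, <<>>} = parse_packet(Packet),
    %% The same message is rejected before auth and accepted after it.
    {error, {unexpected_message, 90, userauth}} = dispatch(userauth, Payload),
    {ok, authenticated} = dispatch(authenticated, Payload),
    ok.
```

Compile with `erlc ssh_frame_demo.erl` and run `ssh_frame_demo:demo()` in an `erl` shell; it returns `ok` only if both the parse and the state gate behave as described.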